Passwords – lots of passwords

by Ian Campbell September 10, 2013

We’ve been working with the OneSign folks at Imprivata, a great product that provides single sign-on, and that reminded me of a research note we published back in 2006 (read it). Here’s the problem with passwords: what’s the right balance between increased password security on one side and, on the other, lost productivity plus the likelihood that users will write the password down in an insecure location? More complex passwords increase lost time, increase password resets, and increase the number of sticky notes under the keyboard (10% of people we surveyed said they write their passwords on sticky notes). Less secure passwords increase the chances of a security problem. I was speaking with a friend whose company requires a password change every 30 days, and you can’t reuse a password from the previous 24 months. Honestly, I can’t remember what I had for lunch last week, never mind the past 24 passwords I’ve used. The problem is that it wastes time. For a 3,500-person company, 10 extra seconds a day lost because an employee may not remember a password correctly adds up to almost 2,500 hours a year, or more than a full-time employee. That’s a lot of real lost time for a possible increase in security. Not necessarily a good tradeoff. Now if you ask the security guys, they’ll tell you complicated passwords are “best practices.” If you ask me, I think overly complicated password requirements, like the ones that require symbols and the Latin name for a flower, are past the balance point of security versus cost.